
diff bet the /etc/shadow

 
wish_1
Frequent Advisor

diff bet the /etc/shadow

Dear all,

I want to know: is there any difference between /etc/passwd and /etc/shadow in HP-UX compared with other OSes such as AIX, Solaris, Linux...?

If any, what is the difference?

Thanks in advance.
regards
wish
7 REPLIES
IT_2007
Honored Contributor

Re: diff bet the /etc/shadow

HP-UX doesn't have an /etc/shadow file. It uses only the /etc/password file in a non-trusted environment.
A. Clay Stephenson
Acclaimed Contributor

Re: diff bet the /etc/shadow

Where it is implemented, no; however, very few HP-UX boxes actually use a shadowed passwd file (although there is a patch to enable it). HP-UX's normal approach is to use a Trusted database (TCB) that does more than an /etc/shadow file in that many more attributes are stored but, in addition, the users' password hashes are stored under /tcb as well and are only readable by root.
If it ain't broke, I can fix that.
A. Clay Stephenson
Acclaimed Contributor

Re: diff bet the /etc/shadow

Well since HP-UX doesn't have shadowed passwords, I wonder what this does?

http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=ShadowPassword

However, as I mentioned before, the typical HP-UX approach is to use TCB rather than this solution.
If it ain't broke, I can fix that.
Bill Hassell
Honored Contributor

Re: diff bet the /etc/shadow

/etc/shadow can be installed on HP-UX and is essentially the same as other Unix systems -- with all the incumbent limitations like no password formation controls, only trivial expiration, no limitations of login periods, no password history, etc. In today's complex security environments, the legacy /etc/shadow method is not adequate, one of the reasons HP chose the TCB method for security many years ago. Legacy programs may not run in HP's TCB environment, but I view that as a good thing.


Bill Hassell, sysadmin
doug hosking
Esteemed Contributor

Re: diff bet the /etc/shadow

The answers re the feature sets vary somewhat from release to release. It is true that the initial web release of shadow password support supported a restricted subset of the trusted mode features. Longer term, trusted mode is being phased out, with its features generally being supported by userdb (see http://docs.hp.com/en/5991-1101/ch08s08.html), such that they can be used in combination with an /etc/shadow file. Userdb provides a more extensible way of adding per-user attributes. The intent is that users can get a broader range of features with fewer compatibility and code portability issues. See security(4) and userdb(4) on your specific version of HP-UX for the latest information on the supported feature sets. http://docs.hp.com/en/5991-0791/ch01s01.html has additional information.

inventsekar_1
Respected Contributor

Re: diff bet the /etc/shadow

# man pwconv

pwconv(1M) pwconv(1M)

NAME
pwconv - install, update or check the /etc/shadow file

# pwconv

*Warning*: There is a restriction on the use of shadow password
functionality in this release of HP-UX. Failure to consider this
limitation may lead to an inability to log in to the system after
the conversion is performed. A system converted to use shadow
passwords is not compatible with any repository other than files
and ldap. This means that the passwd entry in the nsswitch.conf
file must not contain nis, nis+, or dce.

Would you like to proceed with the conversion? (yes/no):

11.23 box.
Does HPUX not support a shadow passwd file?
It seems that pwconv can convert /etc/passwd to /etc/shadow.

Be Tomorrow, Today.
doug hosking
Esteemed Contributor

Re: diff bet the /etc/shadow

Sekar, 11.23 does support shadow passwords in a limited context, after installing the shadow password bundle. The message you quote summarizes the restrictions.
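The pwconv warning quoted in the thread says the passwd entry in nsswitch.conf must list no repository other than files and ldap. The following pre-flight check for that restriction is an added example, not part of any post and not HP's code; the function names are hypothetical and the sample file is constructed.

```shell
#!/bin/sh
# Added example: check the passwd entry of an nsswitch.conf-style file
# against the restriction in the pwconv warning (only files and ldap).
# Function names are hypothetical; nothing here calls pwconv itself.

# Print the sources on the passwd line, with comments and
# [STATUS=action] criteria removed.
passwd_sources() {
    sed -e 's/#.*//' -e 's/\[[^]]*]//g' "$1" |
        awk -F: '$1 ~ /^[ \t]*passwd[ \t]*$/ { print $2; exit }'
}

# Return 0 if every source is files or ldap, 1 if any other repository
# is listed, 2 if the file is unreadable or has no passwd entry.
check_shadow_compat() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    sources=$(passwd_sources "$conf")
    [ -n "$(echo $sources)" ] || { echo "no passwd entry in $conf" >&2; return 2; }
    rc=0
    for src in $sources; do
        case $src in
            files|ldap) ;;   # the two repositories the warning allows
            *) echo "incompatible passwd source: $src" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample, so the check can be tried without touching /etc.
sample=$(mktemp)
printf 'passwd: files [NOTFOUND=continue] nis\n' > "$sample"
check_shadow_compat "$sample" || echo "do not run pwconv yet"
rm -f "$sample"
```

On a real host the call would be `check_shadow_compat /etc/nsswitch.conf`, run before answering yes to the pwconv prompt.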